Scheduled Trivy Scan #140
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) 2020, 2024 Oracle and/or its affiliates. | |
| # | |
| # Licensed under the Universal Permissive License v 1.0 as shown at | |
| # https://oss.oracle.com/licenses/upl. | |
| # --------------------------------------------------------------------------- | |
| # Coherence Eclipse Plugin Actions Scheduled Trivy Scan | |
| # --------------------------------------------------------------------------- | |
| name: Scheduled Trivy Scan | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - '*' | |
| schedule: | |
| # Every day at midnight | |
| - cron: '0 0 * * *' | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| # Checkout the source, we need a depth of zero to fetch all of the history otherwise | |
| # the copyright check cannot work out the date of the files from Git. | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup oras | |
| run: | | |
| VERSION="1.2.0" | |
| curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz" | |
| mkdir -p oras-install/ | |
| tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/ | |
| sudo mv oras-install/oras /usr/local/bin/ | |
| rm -rf oras_${VERSION}_*.tar.gz oras-install/ | |
| - name: Get current date | |
| id: date | |
| run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
| - name: Download and extract the vulnerability DB | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db | |
| oras pull ghcr.io/aquasecurity/trivy-db:2 | |
| tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db | |
| rm db.tar.gz | |
| - name: Download and extract the Java DB | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db | |
| oras pull ghcr.io/aquasecurity/trivy-java-db:1 | |
| tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db | |
| rm javadb.tar.gz | |
| - name: Trivy Scan | |
| shell: bash | |
| run: | | |
| DIR=`mktemp -d` | |
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ${DIR} v0.51.2 | |
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| export TRIVY_CACHE=$GITHUB_WORKSPACE/.cache/trivy | |
| ${DIR}/trivy fs --cache-dir ${TRIVY_CACHE} --exit-code 1 . |